Decryption device

ABSTRACT

A decryption device includes: an internal-key storage section for storing an internal-key; a content-key storage section for storing a content-key; a determination section for determining whether or not a value of the content-key storage section in its initial state and a current value of the content-key storage section are different; and an operation section, the operation section including a first decrypting section which, when an encrypted content-key is input to the operation section, decrypts the encrypted content-key using the internal-key so as to obtain a content-key and stores the content-key in the content-key storage section, and a second decrypting section which, when an encrypted content is input to the operation section and the determination section determines that the value of the content-key storage section in its initial state and the current value of the content-key storage section are different, decrypts the encrypted content using the current value of the content-key storage section as a content-key so as to obtain a first output data and outputs the first output data to outside of the decryption device.

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The present invention relates to a decryption device and an encryption/decryption device for encrypting/decrypting digital contents, such as music, image, video, game, etc.

[0003] 2. Description of the Related Art

[0004] In recent years, along with the propagation of digital contents, such as music, image, video, game, etc., preventing fraudulent acts on such digital contents has been becoming more important for protecting rights of a copyright owner, and a profit of a distributor, of such digital contents. The fraudulent acts include, for example, fraudulent obtainment of digital contents by means of interception of communications, eavesdropping, pretending to be an authorized person, etc., and making an illegal copy from and illegal alteration to data received and stored in a recording medium. In order to prevent these fraudulent acts, copyright protection techniques, such as encryption/authentication for determining whether or not it is an authorized system or for data scrambling, are required.

[0005] In recent years, copyright protection techniques have been provided in various consumer products. In general, a reproduction/recording apparatus for digital contents achieves encrypting/decrypting processing using an encryption/decryption device for performing encrypting/decrypting operations and a master control device for controlling the encryption/decryption device.

[0006] As described in the following, in the reproduction/recording apparatus, reproduction processing is performed using an encrypted content and an encrypted key (encrypted content-key) for decrypting the encrypted content.

[0007] In the first step, the master control device of the reproduction/recording apparatus reads data from a memory device (storage medium) storing encrypted contents and encrypted content-keys. An encrypted content-key read from the master control device is input to an encryption/decryption device. The encryption/decryption device decrypts this encrypted content-key using an internal-key, thereby obtaining a content-key. Then, the master control device inputs an encrypted content read from the memory device to the encryption/decryption device. The encryption/decryption device decrypts the encrypted content using the obtained content-key and outputs the decrypted content to the master control device. In this way, the reproduction processing for the encrypted content is performed.

[0008] Furthermore, in the reproduction/recording apparatus, recording processing is performed as follows.

[0009] In the first step, the master control device issues a content-key generation instruction to the encryption/decryption device, whereby a content-key used for encrypting a content is generated inside the encryption/decryption device. The encryption/decryption device encrypts the content-key using the internal-key so as to obtain an encrypted content-key, and outputs the encrypted content-key to the master control device. Then, the master control device inputs a content to the encryption/decryption device. The encryption/decryption device encrypts the content and outputs the encrypted content to the master control device. Thereafter, the master control device transfers the encrypted content and its encrypted content key to the memory device, whereby the recording processing is performed.

[0010] The encryption/decryption device operates in response to commands from the master control device. In the reproduction/recording apparatus, when the master control device is not tamper-resistant, the encryption/decryption device may be fraudulently operated. For example, it is possible to give the encryption/decryption device a command to encrypt or decrypt a content without providing a content-key in the encryption/decryption device.

[0011] In a conventional encryption/decryption device, in the case of encrypting a content or decrypting an encrypted content, encrypting or decrypting processing is initiated based on only a command supplied from outside. Therefore, when the encryption/decryption device receives a command to encrypt a content or decrypt an encrypted content without providing a content-key in the encryption/decryption device, the encryption/decryption device erroneously recognizes a value of a memory region in the encryption/decryption device, which is provided for storing a content-key, as a content-key, and this value is used as a content-key to encrypt a content or decrypt an encrypted content.

[0012] Such a value of the memory region is believed to be always the same when the encryption/decryption device is in the initial state, e.g., immediately after the encryption/decryption device is powered-on. Furthermore, encryption/decryption devices produced based on the same standard operate in a similar manner. In the present specification, the value of the memory region in the encryption/decryption device, which is provided for storing a content-key when the encryption/decryption device is in the initial state, e.g., immediately after the encryption/decryption device is powered-on, is referred to as an “initial content-key”.

[0013] By fraudulently operating the encryption/decryption device, it is possible to encrypt a content or decrypt an encrypted content using the initial content-key. A typical example of fraudulent acts achieved by such a fraudulent operation is now described in the following steps (1), (2), and (3):

[0014] (1) A correlation between input data to and output data from the decryption device which decrypts an encrypted content using an initial content-key is examined. The output data is a result of decrypting the input data using the initial content-key. A correlation is examined for a number of pairs of input data and output data, whereby the initial content-key and an algorithm for decrypting processing are deciphered.

[0015] (2) When the initial content-key and the algorithm for decrypting processing are deciphered at step (1), an encryption device which encrypts any content using the initial content-key can be fraudulently achieved. With such a fraudulent encryption device, it is possible to encrypt a content using the initial content-key and produce a fraudulent medium in which the encrypted content is recorded.

[0016] Alternatively, with the encryption device which performs encryption with the initial content-key, step (2) can be achieved without step (1).

[0017] (3) Data in the fraudulent medium produced at step (2) can be fraudulently decrypted by a decryption device which decrypts an encrypted content using the initial content-key. Such a decryption device which can fraudulently decrypt an encrypted content is not limited to the decryption device used in step (1). Any decryption device may be used so long as it has the same initial content-key as that of the decryption device used in step (1). Furthermore, the decryption device does not need to be the same as the decryption device used in step (2). Therefore, such a fraudulent act can widely propagate without being limited within a single encryption/decryption device.

[0018] Thus, in the conventional encryption/decryption device, when the encryption/decryption device is fraudulently operated such that a content is encrypted or an encrypted content is decrypted using the initial content-key, there is a possibility that the security of the encryption/decryption device may be deteriorated.

SUMMARY OF THE INVENTION

[0019] According to one aspect of the present invention, a decryption device includes: an internal-key storage section for storing an internal-key; a content-key storage section for storing a content-key; a determination section for determining whether or not a value of the content-key storage section in its initial state and a current value of the content-key storage section are different; and an operation section, the operation section including a first decrypting section which, when an encrypted content-key is input to the operation section, decrypts the encrypted content-key using the internal-key so as to obtain a content-key and stores the content-key in the content-key storage section, and a second decrypting section which, when an encrypted content is input to the operation section and the determination section determines that the value of the content-key storage section in its initial state and the current value of the content-key storage section are different, decrypts the encrypted content using the current value of the content-key storage section as a content-key so as to obtain a first output data and outputs the first output data to outside of the decryption device.

[0020] In one embodiment of the present invention, the decryption device further includes a content-key generation section which generates a content-key for encrypting a content based on random numbers and stores the generated content-key in the content-key storage section, wherein the operation section further includes a first encrypting section which encrypts the content-key for encrypting a content so as to obtain an encrypted content-key and outputs the encrypted content-key to outside of the decryption device, and a second encrypting section which, when a content is input to the operation section and the determination section determines that the value of the content-key storage section in its initial state and the current value of the content-key storage section are different, encrypts the content using the current value of the content-key storage section as a content-key so as to obtain a second output data and outputs the second output data to outside of the decryption device.

[0021] In another embodiment of the present invention, the decryption device further includes a mutual authentication section for determining whether or not a mutual authentication has been made between the mutual authentication section and a storage device which is located outside the decryption device and stores the encrypted content-key, wherein the second decrypting section decrypts the encrypted content when the mutual authentication section determines that the mutual authentication has been made.

[0022] In still another embodiment of the present invention, the internal-key storage section stores a plurality of internal-keys; and the internal-key storage section selects one of the plurality of internal-keys as the internal-key based on internal-key selection information input from outside the decryption device to the decryption device.

[0023] Now, functions of the present invention are described.

[0024] A decryption device according to the present invention has a determination section for determining whether or not a value of a content-key storage section in its initial state and a current value of the content-key storage section are different. When an encrypted content is input to an operation section, and the determination section determines that a value of the content-key storage section in its initial state and a current value of the content-key storage section are different, a second decrypting section included in the operation section performs decrypting processing for the encrypted content. With such an arrangement, the decrypting processing for the encrypted content is prevented from being performed while the value of the content-key storage section is in the initial state. That is, the decrypting processing for the encrypted content is prevented from being performed using an initial content-key. Thus, the security of the decryption device is improved.

[0025] When a decryption device according to the present invention further includes a second encrypting section, the decryption device functions as an encryption/decryption device. When a content is input to an operation section, and a determination section determines that a value of the content-key storage section in its initial state and a current value of the content-key storage section are different, the second encrypting section encrypts the content using the current value of the content-key storage section as a content-key so as to obtain a second output data, and outputs the first output data to outside of the encryption/decryption device. With such an arrangement, the encrypting processing for the content is prevented from being performed while the value of the content-key storage section is in the initial state. That is, the encrypting processing for the content is prevented from being performed using an initial content-key. Thus, the security of the encryption/decryption device is improved.

[0026] Thus, the invention described herein makes possible the advantage of providing an encryption/decryption device with improved security that can prevent a fraudulent operation in which a content is encrypted or an encrypted content is decrypted using the initial content-key.

[0027] This and other advantages of the present invention will become apparent to those skilled in the art upon reading and understanding the following detailed description with reference to the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

[0028] FIG. 1 is a block diagram showing a structure of a decryption device 101 according to embodiment 1 of the present invention.

[0029] FIG. 2 is a block diagram showing an exemplary internal structure of the decrypting operation section 103.

[0030] FIG. 3 shows an exemplary internal structure of the state transition management section 111 of FIG. 1.

[0031] FIG. 4 is a block diagram showing a structure of an encryption/decryption device 201 according to embodiment 2 of the present invention.

[0032] FIG. 5 is a block diagram showing an exemplary internal structure of the encrypting/decrypting operation section 203.

[0033] FIG. 6 is a block diagram showing a structure of a decryption device 401 according to embodiment 3 of the present invention.

[0034] FIG. 7 is a block diagram showing a structure of a decryption device 301 which includes a content-key verification section 315 in addition to the components of the decryption device 101 according to embodiment 1.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0035] Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the present specification, a “decryption device” is a device which has a function for decrypting encrypted data (decrypting function); and an “encryption/decryption device” is a device which has both the decrypting function and a function for encrypting data (encryption function). Thus, in the present specification, a concept of decryption devices includes encryption/decryption devices.

Embodiment 1

[0036] FIG. 1 shows a structure of a decryption device 101 according to embodiment 1 of the present invention. The decryption device 101 decrypts input data 102 based on information from a master device 100 which acts as a host (the input data 102, internal-key selection information 106, and processing mode information 108).

[0037] The decryption device 101 is used with the master device 100, and is mounted on a reproduction/recording apparatus (not shown). The master device 100 has a function for reading encrypted contents and encrypted content-keys from a predetermined region 412 in a memory device 316.

[0038] The memory device 316 may be any recording medium. In the illustrated embodiment, the memory device 316 is a semiconductor storage medium.

[0039] The decryption device 101 includes an internal-key storage section 105, a state transition management section 111, a processing mode selection section 109, a decrypting operation section 103, and a content-key storage section 107.

[0040] The internal-key storage section 105 stores an internal-key inherent to the decryption device 101. The internal-key storage section 105 is provided in a region of the decryption device 101 which is inaccessible from outside. The internal-key storage section 105 stores the internal-key inherent to the decryption device 101 in a hard-wired manner, or in a ROM or a non-volatile memory. The internal-key storage section 105 may store a plurality of internal-keys. In the case where the internal-key storage section 105 stores a plurality of internal-keys, one of the plurality of internal-keys is selected based on the internal-key selection information 106 input from the master device 100.

[0041] The content-key storage section 107 stores content-keys for decrypting encrypted contents.

[0042] The state transition management section 111 determines whether or not a content-key (a content-key for decrypting encrypted contents) is stored in the content-key storage section 107. In particular, the state transition management section 111 functions as a determination section for determining whether or not a value of the content-key storage section 107 in its initial state and a current value of the content-key storage section 107 are different. When the current value of the content-key storage section 107 is the same as the value of the content-key storage section 107 in its initial state, the content-key storage section 107 does not include any content-key, i.e., the state transition management section 111 determines that the value of the content-key storage section 107 is an initial content-key. The state transition management section 111 transmits to the decrypting operation section 103 determination information 1101 which indicates whether or not the value of the content-key storage section 107 in its initial state and a current value of the content-key storage section 107 are different.

[0043] The processing mode selection section 109 interprets the processing mode information 108 input from the master device 100. The processing mode information 108 is a command supplied from the master device 100 to the decryption device 101. The decryption device 101 performs two types of decrypting processing, i.e., decrypting processing for an encrypted content-key and decrypting processing for an encrypted content. Thus, the processing mode information 108 supplied as a command from the master device 100 to the decryption device 101 indicates which decrypting processing should be performed by the decryption device 101. The processing mode selection section 109 outputs control information 1102 to the decrypting operation section 103 based on the result of the interpretation of the processing mode information 108.

[0044] In this way, the processing mode selection section 109 interprets the processing mode information 108 and controls the decrypting operation section 103 based on the result of the interpretation. However, when the decrypting operation section 103 is directly controlled by the processing mode information 108 supplied from the master device 100, the processing mode selection section 109 can be omitted.

[0045] The decrypting operation section (operation section) 103 performs two types of decrypting processing, i.e., decrypting processing for an encrypted content-key and decrypting processing for an encrypted content.

[0046] FIG. 2 schematically shows an exemplary internal structure of the decrypting operation section 103.

[0047] The decrypting operation section 103 includes a first decrypting section 1201 for decrypting an encrypted content-key and a second decrypting section 1202 for decrypting an encrypted content.

[0048] The first decrypting section 1201 is activated when the processing mode information 108 from the master device 100 (FIG. 1) indicates the decrypting processing for an encrypted content-key. When an encrypted content-key is input as input data 102 from the master device 100 to the first decrypting section 1201, the first decrypting section 1201 decrypts the encrypted content-key using an internal-key stored in the internal-key storage section 105. The decrypted data is stored as a content-key in the content-key storage section 107.

[0049] The second decrypting section 1202 is activated when the processing mode information 108 from the master device 100 (FIG. 1) indicates the decrypting processing for an encrypted content. When an encrypted content (data including encrypted digital content such as music, image, video, game, etc.) is input as input data 102 from the master device 100 to the second decrypting section 1202, and the determination information 1101 output from the state transition management section 111 indicates that “the value of the content-key storage section 107 in its initial state and a current value of the content-key storage section 107 are different”, the second decrypting section 1202 decrypts the encrypted content using the value of the content-key storage section 107 as a content-key. The decrypted data (first output data) is output to the master device 100 as output data 104. In this example, the first output data is a content obtained by decrypting the encrypted content.

[0050] In this way, the second decrypting section 1202 performs the decrypting processing for an encrypted content after it has been confirmed that “the value of the content-key storage section 107 in its initial state and a current value of the content-key storage section 107 are different”. With such an arrangement, even when the master device 100 is not tamper-resistant (hence, even when fraudulent input data and processing mode information are input to the decryption device 101 through fraudulent routes 102a and 108a), the decrypting processing for an encrypted content is prevented from being performed while the content-key storage section 107 is in the initial state. That is, the decrypting processing for an encrypted content is prevented from being performed using an initial content-key. Thus, steps (1) and (3) in the above-described typical example of fraudulent acts are prevented from being performed and, accordingly, a decryption device with improved security is achieved.

[0051] The decryption device 101 may be, for example, an ASIC (Application Specified IC). The master device 100 may be, for example, an MPU (Microprocessor Unit). Thus, the decryption device 101 may be produced as a single semiconductor package.

[0052] Any encryption/decryption algorithm may be employed for the decrypting processing performed in the first decrypting section 1201 and the second decrypting section 1202 of the decrypting operation section 103. For example, the DES (Data Encryption Standard) may be employed. Furthermore, the length of an internal-key and a content-key may be any number of bits. For example, it may be 56 bits.

[0053] The internal structure of the decrypting operation section 103 is not limited to the internal structure shown in FIG. 2. The first decrypting section 1201 and the second decrypting section 1202 may have the same structure. Thus, the first decrypting section 1201 and the second decrypting section 1202 may be provided as a single decrypting section.

[0054] FIG. 3 shows an exemplary internal structure of the state transition management section 111 of FIG. 1. The state transition management section 111 is connected to the content-key storage section 107. The state transition management section 111 includes a register 1301 and a comparator 1302. The register 1301 holds the value of an input 1303 (the value of the content-key storage section 107) at the time when a pulse signal is input to a latch input 1305. The comparator 1302 compares an output 1304 of the register 1301 and the input 1303 (the value of the content-key storage section 107) so as to output a comparison result 1306. The comparison result 1306 is input to the decrypting operation section 103 (FIG. 1) as the determination information 1101.

[0055] The latch input 1305 of the register 1301 receives a POR (Power On Reset) signal. The POR signal is a signal which pulses only once immediately after power-on. A power supply used for the power-on may be, for example, a power supply for the decryption device 101 or a power supply for a reproduction/recording apparatus (not shown) on which the decryption device 101 is mounted. After the power-on, a value of the content-key storage section 107 immediately after the power-on is held in the register 1301. Accordingly, the comparator 1302 compares the value of the content-key storage section 107 immediately after the power-on and a current value of the content-key storage section 107. When these values are equal, the output (comparison result) 1306 of the comparator 1302 is “0”; otherwise, the output 1306 of the comparator 1302 is non-zero.

[0056] In this way, the state transition management section 111 can determine whether or not the value of the content-key storage section 107 in its initial state and a current value of the content-key storage section 107 are different. In the above example, the initial state is a state immediately after the power-on, but according to the present invention, the initial state is not limited thereto. For example, the initial state may be a state immediately after the whole decryption device 101 is reset. A pulse signal is input to the latch input 1305 of the state transition management section 111 immediately after any initial state, whereby the state transition management section 111 can determine whether or not the value of the content-key storage section 107 in its initial state and a current value of the content-key storage section 107 are different.

[0057] The structure of the state transition management section 111 is not limited to the structure shown in FIG. 3. The state transition management section 111 may have any structure so long as it has a function for determining whether or not the value of the content-key storage section 107 in its initial state and a current value of the content-key storage section 107 are different.
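
The power-on latch, comparator and gated second decrypting section described in paragraphs [0048] to [0056], modelled in C as an added example; it is not code from the patent. The XOR routine is a toy stand-in for DES, and the key bytes, the power-on value, the function names and the `gate_enabled` switch (0 models the conventional device of paragraph [0011]) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 8

enum mode   { MODE_DECRYPT_CONTENT_KEY, MODE_DECRYPT_CONTENT };
enum status { ST_OK = 0, ST_REFUSED_INITIAL_KEY = -1, ST_BAD_INPUT = -2 };

/* Constructed sample values, not taken from the patent. */
static const uint8_t INTERNAL_KEY[KEY_LEN]   = {0x13,0x57,0x9b,0xdf,0x02,0x46,0x8a,0xce};
static const uint8_t POWER_ON_VALUE[KEY_LEN] = {0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5};
static const uint8_t CONTENT_KEY[KEY_LEN]    = {0x31,0x41,0x59,0x26,0x53,0x58,0x97,0x93};

struct decryption_device {
    uint8_t internal_key[KEY_LEN]; /* internal-key storage section 105 */
    uint8_t content_key[KEY_LEN];  /* content-key storage section 107 */
    uint8_t latched[KEY_LEN];      /* register 1301 */
    int gate_enabled;              /* assumption: 0 models the conventional device */
};

/* Toy stand-in for DES (NOT secure): XOR with a repeating key; self-inverse. */
static void toy_crypt(const uint8_t key[KEY_LEN], const uint8_t *in,
                      uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % KEY_LEN];
}

/* Power-on: storage 107 comes up with its fixed value, and the POR pulse on
 * latch input 1305 copies that value into register 1301. */
static void device_power_on(struct decryption_device *d, int gate_enabled)
{
    memcpy(d->internal_key, INTERNAL_KEY, KEY_LEN);
    memcpy(d->content_key, POWER_ON_VALUE, KEY_LEN);
    memcpy(d->latched, d->content_key, KEY_LEN);
    d->gate_enabled = gate_enabled;
}

/* Comparator 1302 / determination information 1101:
 * 0 while storage 107 still equals the latched value, non-zero otherwise. */
static int determination(const struct decryption_device *d)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        diff |= (uint8_t)(d->latched[i] ^ d->content_key[i]);
    return diff;
}

/* One command from the master device (processing mode information 108). */
static int device_command(struct decryption_device *d, enum mode m,
                          const uint8_t *in, size_t n, uint8_t *out)
{
    switch (m) {
    case MODE_DECRYPT_CONTENT_KEY:          /* first decrypting section 1201 */
        if (n != KEY_LEN)
            return ST_BAD_INPUT;
        toy_crypt(d->internal_key, in, d->content_key, KEY_LEN);
        return ST_OK;
    case MODE_DECRYPT_CONTENT:              /* second decrypting section 1202 */
        if (d->gate_enabled && determination(d) == 0)
            return ST_REFUSED_INITIAL_KEY;  /* nothing is written to out */
        toy_crypt(d->content_key, in, out, n);
        return ST_OK;
    }
    return ST_BAD_INPUT;
}

/* Power on, optionally load an encrypted content-key, then request content
 * decryption. Returns the status of the content request. */
static int run_sequence(int gate_enabled, const uint8_t *enc_key,
                        const uint8_t *in, size_t n, uint8_t *out)
{
    struct decryption_device d;
    device_power_on(&d, gate_enabled);
    if (enc_key && device_command(&d, MODE_DECRYPT_CONTENT_KEY,
                                  enc_key, KEY_LEN, NULL) != ST_OK)
        return ST_BAD_INPUT;
    return device_command(&d, MODE_DECRYPT_CONTENT, in, n, out);
}

int main(void)
{
    const uint8_t content[5] = {'m','u','s','i','c'};
    uint8_t enc_key[KEY_LEN], enc_content[5], out[5];

    toy_crypt(INTERNAL_KEY, CONTENT_KEY, enc_key, KEY_LEN);
    toy_crypt(CONTENT_KEY, content, enc_content, sizeof content);

    printf("gated, key loaded:      %d\n", run_sequence(1, enc_key, enc_content, 5, out));
    printf("gated, no key loaded:   %d\n", run_sequence(1, NULL, enc_content, 5, out));
    printf("conventional, no key:   %d\n", run_sequence(0, NULL, enc_content, 5, out));

    /* Edge case: an encrypted content-key that decrypts to the power-on value
     * looks the same to the comparator as "no key loaded". */
    toy_crypt(INTERNAL_KEY, POWER_ON_VALUE, enc_key, KEY_LEN);
    printf("gated, key == initial:  %d\n", run_sequence(1, enc_key, enc_content, 5, out));
    return 0;
}
```

The last case shows a property of the comparator-based determination: a legitimately loaded content-key that happens to equal the power-on value is refused, because the comparison result is “0” in both situations.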

Embodiment 2

[0058] FIG. 4 shows a structure of an encryption/decryption device (decryption device) 201 according to embodiment 2 of the present invention. The encryption/decryption device 201 includes an encrypting/decrypting operation section 203 in place of the decrypting operation section 103 of the decryption device 101. Furthermore, the encryption/decryption device 201 includes a content-key generation section 213. In FIG. 4, like elements are indicated by like reference numerals used in FIG. 1, and detailed descriptions thereof are omitted.

[0059] The encryption/decryption device 201 is used with a master device 200, and is mounted on a reproduction/recording apparatus (not shown). The master device 200 has a function for reading/writing encrypted contents and encrypted content-keys from/in a predetermined region 412 in a memory device 316.

[0060] The encrypting/decrypting device 201 performs four types of processing, i.e., decrypting processing for an encrypted content-key, decrypting processing for an encrypted content, generation processing for generating a content-key, and encrypting processing for encrypting contents. Thus, a processing mode information 108 supplied as a command from the master device 200 to the encryption/decryption device 201 indicates which processing should be performed by the encryption/decryption device 201.

[0061] When the processing mode information 108 indicates the decrypting processing for an encrypted content-key, the content-key generation section 213 generates at random a content-key for encrypting contents, and the generated content-key is stored in the content-key storage section 107. For example, the content-key for encrypting contents is generated based on random numbers. The random numbers are generated by generating integers at random using a clock counter, for example.

[0062] FIG. 5 shows an exemplary internal structure of the encrypting/decrypting operation section 203. The encrypting/decrypting operation section (operation section) 203 includes, in addition to the components of the decrypting operation section 103 shown in FIG. 2, a first encrypting section 1501 for encrypting content-keys and a second encrypting section 1502 for encrypting contents. In FIG. 5, like elements are indicated by like reference numerals used in FIG. 2, and detailed descriptions thereof are omitted.

[0063] The first encrypting section 1501 is activated when the processing mode information 108 from the master device 200 (FIG. 4) indicates the encrypting processing for a content-key. When the processing mode information 108 indicates the encrypting processing for a content-key, the content-key generation section 213 (FIG. 4) generates a content-key for encrypting contents based on the random numbers as described above. The first encrypting section 1501 encrypts the content-key for encrypting contents using an internal-key stored in internal-key storage section 105, thereby obtaining an encrypted content-key (second encrypted content-key). This encrypted content-key is output as output data 104 to the master device 200 located outside the encryption/decryption device 201.

[0064] The second encrypting section 1502 is activated when the processing mode information 108 from the master device 200 (FIG. 4) indicates the encrypting processing for a content. When the content is input as input data 102 from the master device 200 (FIG. 4) to the second encrypting section 1502, and the determination information 1101 output from the state transition management section 111 indicates that “the value of the content-key storage section 107 in its initial state and a current value of the content-key storage section 107 are different”, the second encrypting section 1502 encrypts the content using the value of the content-key storage section 107 as a content-key. The encrypted data (second output data) is output to the master device 200 as output data 104. In this example, the second output data is an encrypted content obtained by encrypting the content.

[0065] In this way, the second encrypting section 1502 performs the encrypting processing for a content after it has confirmed that “the value of the content-key storage section 107 in its initial state and a current value of the content-key storage section 107 are different”. With such an arrangement, even when the master device 200 is not tamper-resistant, the encrypting processing for a content is prevented from being performed while the content-key storage section 107 is in the initial state. That is, the encrypting processing for a content is prevented from being performed using an initial content-key. Thus, step (2) in the above-described typical example of fraudulent acts is prevented from being performed and, accordingly, a decryption device with improved security is achieved.

[0066] The encryption/decryption device 201 may be, for example, an ASIC(Application Specified IC). The master device 200 may be, for example,an MPU (Microprocessor Unit). Therefore, the encryption/decryptiondevice 201 may be produced as a single semiconductor package.

[0067] Any encryption/decryption algorithm may be employed forencrypting processing performed in the first encrypting section 1501 andthe second encrypting section 1502 of the encrypting/decryptingoperation section 203. For example, the DES (Data Encryption Standard)may be employed.

[0068] The internal structure of the encrypting/decrypting operation section 203 is not limited to the internal structure shown in FIG. 5. The first encrypting section 1501 and the second encrypting section 1502 may have the same structure. Thus, the first encrypting section 1501 and the second encrypting section 1502 may be provided as a single decrypting section.

Embodiment 3

[0069] FIG. 6 shows a structure of a decryption device 401 according to embodiment 3 of the present invention. The decryption device 401 includes a mutual authentication section 417 in addition to the components of the decryption device 101 shown in FIG. 1. In FIG. 6, like elements are indicated by like reference numerals used in FIG. 1, and detailed descriptions thereof are omitted.

[0070] The decryption device 401 is used with the master device 400, and is mounted on a reproduction/recording apparatus (not shown). The master device 400 has a function for reading encrypted contents and encrypted content-keys from a predetermined region 412 in a memory device 416.

[0071] The memory device 416 may be any recording medium. In the illustrated embodiment, the memory device 416 is a semiconductor storage medium. The memory device 416 has a mutual authentication section 414.

[0072] A mutual authentication is made between the mutual authentication section 414 of the memory device 416 and the mutual authentication section 417 of the decryption device 401. Any mutual authentication procedure may be used for the mutual authentication between the mutual authentication sections 414 and 417. A mutual authentication procedure known as a challenge-response system is one example of the mutual authentication procedure used between the mutual authentication sections 414 and 417.

[0073] The state transition management section 111 determines whether or not the mutual authentication has been made. When the state transition management section 111 determines that the mutual authentication has been made, the second decrypting section 1202 (FIG. 2) of the decrypting operation section 103 decrypts an encrypted content.

[0074] In the example shown in FIG. 6, the state transition management section 111 determines whether or not the mutual authentication has been made. However, according to the present invention, the mutual authentication section 417 may carry out the determination.

[0075] In the decryption device 401 according to the present invention, the validity of the memory device 416 storing an encrypted content-key is confirmed. Thus, it is possible to more securely prevent the decrypting processing for contents from being fraudulently operated.

[0076] Furthermore, in the decryption device 401 according to the present invention, reading from a “fraudulent medium” (memory device), as in step ③ of the above-described typical example of fraudulent acts, is prevented in a more secure manner. Accordingly, the security of the decryption device 401 is improved.
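
The following sketch is an added illustration, not part of the patent text, of a challenge-response exchange between mutual authentication sections 414 and 417 and of the gate that lets the second decrypting section run only after it succeeds. The HMAC-SHA256 construction, the shared secret, the role labels and all function names are assumptions; the patent leaves the procedure open.

```python
import hashlib
import hmac
import secrets

class AuthSection:
    """One mutual authentication section (414 in the memory device, 417 in the decryption device)."""
    def __init__(self, role: bytes, shared_secret: bytes):
        self.role = role                # b"device" or b"memory" (constructed labels)
        self._secret = shared_secret    # assumption: both genuine sides hold the same secret
        self._pending = None
        self.peer_verified = False

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)   # fresh nonce for every run
        return self._pending

    def respond(self, challenge: bytes) -> bytes:
        # Binding the responder's role into the MAC stops a reflected response from verifying.
        return hmac.new(self._secret, self.role + challenge, hashlib.sha256).digest()

    def check(self, peer_role: bytes, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._secret, peer_role + self._pending, hashlib.sha256).digest()
        self._pending = None            # a challenge is single-use
        self.peer_verified = hmac.compare_digest(expected, response)
        return self.peer_verified

def mutual_authenticate(device: AuthSection, memory: AuthSection) -> bool:
    """Run both directions; True only if each side verified the other."""
    c_dev = device.challenge()                                   # 417 -> 414
    ok_memory = device.check(memory.role, memory.respond(c_dev))
    c_mem = memory.challenge()                                   # 414 -> 417
    ok_device = memory.check(device.role, device.respond(c_mem))
    return ok_memory and ok_device

def gated_decrypt(authenticated: bool, decrypt, encrypted_content: bytes) -> bytes:
    # State transition management: decrypt content only after mutual authentication.
    if not authenticated:
        raise PermissionError("mutual authentication has not been made")
    return decrypt(encrypted_content)
```
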

[0077] According to the present invention, the encryption/decryption device 201 shown in FIG. 4 may include the mutual authentication section 417 shown in FIG. 6. In this case, the second encrypting section 1502 (FIG. 5) of the encrypting/decrypting operation section 203 performs encrypting processing for a content when the mutual authentication has been made, whereby the security of the decryption device 201 is improved.

[0078] Furthermore, the decryption device (or encryption/decryption device) according to each of embodiments 1-3 may include a content-key verification section which contains a verification pattern and which determines whether a content-key is valid or not.

[0079] FIG. 7 shows a structure of a decryption device 301 including a content-key verification section 315 in addition to the components of the decryption device 101 (FIG. 1) according to embodiment 1.

[0080] The decrypting operation section 103 decrypts an encrypted verification pattern using a value of the content-key storage section 107 as a content-key, thereby obtaining a decrypted data. If this decrypted data matches a verification pattern stored in the content-key verification section 315, it is determined that the value of the content-key storage section 107 is a valid content-key.

[0081] The second decrypting section 1202 of the decrypting operation section 103 (FIG. 2) performs decrypting processing for contents only when the value of the content-key storage section 107 is a valid content-key. With such an arrangement, an invalid content-key (e.g., an initial content-key) is prevented from being used for decrypting contents.
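
A software model of decryption device 301, added here as an illustration and not taken from the patent, shows the two gates in front of the second decrypting section: the initial-state determination and the verification-pattern check. The SHA-256 keystream cipher stands in for DES, and the key values, the pattern and all names are constructed assumptions.

```python
import hashlib
import hmac

def _keystream(key: bytes, n: int) -> bytes:
    # Stand-in cipher (assumption): SHA-256 in counter mode, used instead of DES.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def crypt(key: bytes, data: bytes) -> bytes:
    """XOR stream cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

class DecryptionDevice:
    INITIAL_CONTENT_KEY = bytes(8)             # constructed initial value of storage section 107
    VERIFICATION_PATTERN = b"VERIFY-PATTERN"   # constructed pattern held by section 315

    def __init__(self, internal_key: bytes):
        self._internal_key = internal_key
        self._content_key = self.INITIAL_CONTENT_KEY
        self._key_valid = False

    def load_content_key(self, encrypted_content_key: bytes) -> None:
        # First decrypting section: unwrap the content-key with the internal-key.
        self._content_key = crypt(self._internal_key, encrypted_content_key)
        self._key_valid = False                # a newly stored key must be verified again

    def verify_content_key(self, encrypted_pattern: bytes) -> bool:
        # Decrypt the pattern with the stored value and compare with the stored pattern.
        plain = crypt(self._content_key, encrypted_pattern)
        self._key_valid = hmac.compare_digest(plain, self.VERIFICATION_PATTERN)
        return self._key_valid

    def decrypt_content(self, encrypted_content: bytes) -> bytes:
        # Second decrypting section: refuse in the initial state or with an unverified key.
        if self._content_key == self.INITIAL_CONTENT_KEY:
            raise PermissionError("content-key storage is in its initial state")
        if not self._key_valid:
            raise PermissionError("content-key has not passed verification")
        return crypt(self._content_key, encrypted_content)
```
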

[0082] A decryption device according to the present invention has a determination section for determining whether or not a value of a content-key storage section in its initial state and a current value of the content-key storage section are different. When an encrypted content is input to an operation section, and the determination section determines that a value of the content-key storage section in its initial state and a current value of the content-key storage section are different, a second decrypting section included in the operation section performs decrypting processing for the encrypted content. With such an arrangement, the decrypting processing for the encrypted content is prevented from being performed while the value of the content-key storage section is in the initial state. That is, the decrypting processing for the encrypted content is prevented from being performed using an initial content-key. Thus, the security of the decryption device is improved.

[0083] When a decryption device according to the present invention further includes a second encrypting section, the decryption device functions as an encryption/decryption device. When a content is input to an operation section, and a determination section determines that a value of the content-key storage section in its initial state and a current value of the content-key storage section are different, the second encrypting section encrypts the content using the current value of the content-key storage section as a content-key so as to obtain a second output data, and outputs the first output data to outside of the encryption/decryption device. With such an arrangement, the encrypting processing for the content is prevented from being performed while the value of the content-key storage section is in the initial state. That is, the encrypting processing for the content is prevented from being performed using an initial content-key. Thus, the security of the encryption/decryption device is improved.

[0084] Various other modifications will be apparent to and can be readily made by those skilled in the art without departing from the scope and spirit of this invention. Accordingly, it is not intended that the scope of the claims appended hereto be limited to the description as set forth herein, but rather that the claims be broadly construed.

What is claimed is:
 1. A decryption device, comprising: an internal-key storage section for storing an internal-key; a content-key storage section for storing a content-key; a determination section for determining whether or not a value of the content-key storage section in its initial state and a current value of the content-key storage section are different; and an operation section, the operation section including a first decrypting section which, when an encrypted content-key is input to the operation section, decrypts the encrypted content-key using the internal-key so as to obtain a content-key and stores the content-key in the content-key storage section, and a second decrypting section which, when an encrypted content is input to the operation section and the determination section determines that the value of the content-key storage section in its initial state and the current value of the content-key storage section are different, decrypts the encrypted content using the current value of the content-key storage section as a content-key so as to obtain a first output data and outputs the first output data to outside of the decryption device.
 2. A decryption device according to claim 1, further comprising a content-key generation section which generates a content-key for encrypting a content based on random numbers and stores the generated content-key in the content-key storage section, wherein the operation section further includes a first encrypting section which encrypts the content-key for encrypting a content so as to obtain an encrypted content-key and outputs the encrypted content-key to outside of the decryption device, and a second encrypting section which, when a content is input to the operation section and the determination section determines that the value of the content-key storage section in its initial state and the current value of the content-key storage section are different, encrypts the content using the current value of the content-key storage section as a content-key so as to obtain a second output data and outputs the second output data to outside of the decryption device.
 3. A decryption device according to claim 1, further comprising a mutual authentication section for determining whether or not a mutual authentication has been made between the mutual authentication section and a storage device which is located outside the decryption device and stores the encrypted content-key, wherein the second decrypting section decrypts the encrypted content when the mutual authentication section determines that the mutual authentication has been made.
 4. A decryption device according to claim 1, wherein: the internal-key storage section stores a plurality of internal-keys; and the internal-key storage section selects one of the plurality of internal-keys as the internal-key based on internal-key selection information input from outside the decryption device to the decryption device.